Business-Suitable Document Authentication System?

ram.loss writes "The company I work for has decided to go paperless for all memos and internal correspondence. In addition to the central administration, the company has three more or less autonomous, physically separated divisions; that means we do not have a common IT infrastructure across all of them. Since I am the only resemblance we have to an IT department at my division, I have been commissioned with evaluating the available technology to manage and authenticate all correspondence, although it is not my area of expertise (I have a CompSci degree, but for many years have specialized in transportation modeling software). My initial thought was to use a document management system like Plone (this is the system I'm familiar with); from what I have read, that would take care of the management part, but what about authentication? We need each document to be signed, and a fully auditable system that keeps track of who signed what document, who received it and when. It also must take into account the handling of external correspondence in the future, where a recipient outside the company must have the means to return an authenticated document as a response. I'm aware that I'm leaving out a lot of details, like how the documents will be signed, the legal implications, etc., but for the time being I'm only interested in the experiences of the Slashdot crowd with such systems, and hopefully finding out enough information to hand over the matter to (or hiring) somebody more qualified, once I know what to look for. Has anybody out there used a similar system? Am I in way over my head?"

SharePoint

Microsoft SharePoint can handle most of what you need out of box, and you can configure and customize what you need for the rest, I believe.

Re:SharePoint

[YrWrstNtmr]

One of the main issues with SharePoint (aside from the whole MS ecosystem) is that it is a large complex beast. Once you move beyond the base SharePoint Services and into SharePoint Server, the maintenance will drown you. Especially if you are only one deep.
And I say this as a SharePoint admin/developer for a large US govt organization.

But yes, the base SharePoint Services 3.0 and upcoming SP Foundation(2010) will do pretty much everything he's asking for. And it's free (beer), if you are already running Server2003 or Server2008.

Also, FAR more requirements gathering is needed. What do the bosses really want?

Re:SharePoint

[owlstead]

SharePoint is underrated???? Oh, my god. It's vastly overrated. It's Microsofts proprietary, not well thought of solution on how to do distributed, eh, things with Office document. I've had horrible problems even when doing any kind of version control on documents. I mean, isn't that the whole point of SharePoint? I can delete a document, upload a new one with the same name and it will *revert back* to the old version! Oh, yeah, you can do it online, if you use IE *and* know how to do it.

Recently I've been using the discussion board of SharePoint to distribute programming tips. I've never had a program refuse *those* particular (perfectly valid) HTML tags - without any warning whatsoever of course. I've made a howto on how to read the posts on the discussion board - never mind posting your own. You ask: what's that got to do with it? Well, the whole implementation of SharePoint lets any apt programmer scream Nooooooooooohhhhhhhhh from behind it's terminal. It's simply *that* bad.

I mean, I cannot even find anything using the software. I created the discussion board, and I could not get it to the front page, neither could the administrator. It's just a horrible mess. I mean, this is software that refuses to put a PDF icon in front of PDF files! Oh, yee gods, I hate that piece of crap.

As for the signing and verifying - the request of the Ask SlashDot: do you say that there is a good method of doing just that? Because I haven't seen it, but that might be because it is there and I refused to RTFM - if only to skip reading the EULA that's undoubtedly put right in front of it.

Try Knowledgetree

[PdbAqB]

Try Knowledgetree - It's open source, has workflow and it is fully audited: http://www.knowledgetree.com/solutions/industry-solutions We use it in our law firm (I manage it - we are relatively small http://1p.com.au/ and it runs without any specific expertise. I have previously tried other solutions without success. We also really appreciate knowledgetree's ability to interact seamlessly with MSOffice etc. Good luck

Altec's Doclink

[bensode]

It's not free but it is a nice system with strong permission controls and customizable workflows.

http://www.altec-inc.com/products/doc-link/index.html

Lotus NotesDomino

[kirthn]

Lotus Notes/Domino by IBM takes care of all that...including external branches, ditigital signatures, track of who has been reading it, who where the previous readers etc etc... etc...we have been using it extensively and provides everything you just described.....

Re:Lotus NotesDomino

[kirthn]

it's because Lotus notes is not being used well....the outsiders think it's an e-mail system, while in fact that aspect is only 10% of its capabilities...

it's a basically a high-security databse system with unique features...like replication and deep built-in security and encryption....just like that out of the box...

don't use a hammer as a screwdriver ;)

EPM

[hkabbaj]

Look at https://www.uspsepm.com/ document integrity and authentication. https://my.inscrybe.com/ supports workflow and multiple signings and incorporates the epm.

Try the LOPSA mailing list

[Saint+Aardvark]

Try posting this on the LOPSA mailing list. It's an excellent resource, with lots of sysadmins in different environments hanging out. If you're not a member, email me (aardvark atsign saintaardvarkthecarpeted dot com) if you'd like me to post to the list on your behalf. You might also want to try the IRC channel #lopsa on Freenode.

Membership is only $50/year, and access to the mailing list alone is worth every penny. I'm a member, and it's saved my butt on occasion. Even if you're not a sysadmin, this is definitely a sysadmin-type question, and I think you'd benefit from being able to ask questions on the list.

Possibly Lotus Domino; Need more info

[thebiss]

You'll need to elaborate on two things to get good answers:
  - What is a document? Rich text, or scanned paper, physical paper, or something else?
  - What is authentication? Tracking electronic versions from creation, through revisions, to finalization, or something different like confirming that physical document "A" is the same as physical document "B"?

I know of solutions for the case where documents are soft copy rich text with images and and attached scanned documents. A Lotus Notes database can be easily created to track such documents, prevent over-writes, track revision histories, etc. I work for a pretty big consulting firm, and we use Domino-based systems for things like this all the time.

Some caveats -
- Domino's is easily setup, but requires product knowledge to perform well and scale. How big is your firm?
- Users will need to have Notes IDs to work with the system, as ID (certificate) + password based PKI is the foundation of Domino's authentication mechanism.

Some benefits -
- Depending upon the setup, users will be able to work with documents via your corporate intranet.
- Depending upon the setup, replication (think synchronization) can enable users to keep local copies of this data, for access while they are outside of the intranet.

Access for outsiders is more complex.
- If the outsiders are trusted (e.g. auditors,) the solution may be to give them Notes IDs and grant them access to the intranet and this system.
- If the outsiders are end-users (e.g. E&Y clients submitting their 2010 US tax forms,) then you may be into custom application space. I'll skip the plug for my company.

alfresco and sharepoint

I second the "Alfresco" suggestion. It has Records Management capabilities that satisfy the Government Records keeping requirements (5015.2). SharePoint is another option that has similar record keeping functionality that can be added.

Re:What? Are you trying to do?

[ram.loss]

Hi, original poster here.

Yes, I am aware there are too many details left hanging, that's why I need to hear from someone that has worked with a similar system to at least have an idea what kind of project are we dealing with. From listening to the managers, we need some serious talking to do before a formal proposal is made.

For starters, there's not much money available for the hypothetical system, so that will probably be a showstopper. When i say "documents" I mean anything that when printed on paper has to have a signature (as in "written with a pen") that identifies who wrote it/approved it, most likely a PDF file when talking about an electronic document.

I share your bafflement about the purpose of all this, presumably they want to eliminate all the time needed to move paper around four different locations, and it can't be done by e-mail due to the signature requirements (internal rules, legal implications among other things, lets not delve too much into that just now). But I think they really have not thought through all the added costs.

Re:PGP + really any collaboration software

[DarkOx]

Actually it is business friendly in that chances are others you may work with are already using it. Its as close to standard as you can really get. The DOD uses it, and we have to use it to sign everything we send back to them. Lots of Orgs to work with the DOD given its a hard requirement for communication with them in many cases its pretty common out in the wild.